The systemd-resolve documentation says:
The DNS servers contacted are determined from the global settings in /etc/systemd/resolved.conf, the per-link static settings in /etc/systemd/network/*.network files, the per-link dynamic settings received over DHCP and any DNS server information made available by other system services.
I think that explains your Global entry.
DNSSEC NTA stands for DNSSEC Negative Trust Anchor. It applies to domains that are unsigned or not correctly signed, to "override" DNSSEC data by disabling DNS validation for the specific domain. See RFC 7646, which I quote:
NTAs are configured locally on a validating DNS recursive resolver to shield end users from DNSSEC-related authoritative name server operational errors. NTAs are intended to be temporary and only implemented by the organization requiring an NTA (and not distributed by any organizations outside of the administrative boundary).